Advanced Mobile Forensics Blog Cell Phone Forensics CelleBrite Chip Off forensics Document Discovery eDiscovery Electronic Discovery iPhone Forensics Law Enforcement Location Data Forensics Mobile Forensics Tablet PC forensics

Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad have different levels of support, but each can be obtained in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – Collection of the device’s file structure and the folders and files within.
Physical – A full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5 this level of support is not currently available. The main reason is that Apple started using the new A5 chip. The decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files. When obtaining a forensic file system extraction those DB (database) files are collected as well. Thus the ability to obtain deleted and active content from the device is possible with a forensic file system collection. Here is an example of the data that can be recovered from an iPhone.

iPhone Forensic Collection

This is only one example, and I have seen devices provide thousands of deleted and active content. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actually device. When a user syncs their phone to the computer and loads up music, movies, or pictures they are usually performing a backup as well. The backup files can be exported from the computer and loaded up into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

The collected data from a iTunes back up file via mobile forensic tools
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be great resource for eDiscovery requests. These devices can be connected to an exchange server or a web mail client. Depending on the configuration the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for a eDiscovery situation user devices should not be ignored. They can house emails and documents that are no longer on the server or users computer. As you can see from the screen shot above, this user had 3,943 emails on the device and of those emails 1,199 emails were deleted). These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded collect all email and documents related to the case, every device holding these items should be forensically collected.

Blog Cell Phone Forensics CelleBrite iPhone Forensics Malware MFC 2012 Mobile Forensic Conference 2012 Mobile Forensics Tablet PC forensics

Android & iPhone’s Growing Malware Problem – MFC 2012

Wednesday mornings keynote speaker was Chet Hosmer. Mr. Hosmer is the Chief Scientist at Wetstone Allen. The realm of digital and network security has changed dramatically. Think back to before smart phone devices, as a network security manager. You only had to worry about the network locally within your firewall. With the boom of smartphones and mobile workforces the realm of protecting your companies data and infrastructure has grown to be almost uncontrollable.

The latest corporate buzz word is BYOD (Bring Your Own Device). When you have a BYOD policy within a company you are allowing more uncertainty into the work place by allowing unknown devices to access your systems, email, and confidential documents. You do not know what OS the device is running, what applications are installed, if encryption is enabled, or if the device is already compromised. As a network administrator you can try to control everything within your firewall, but how do you control a mobile worker with their own personal device?

Infected smartphones is not new. Today Android OS devices lead the industry in this epidemic. They lead this epidemic because they are an open sourced OS and because their App Marketplace relies on users vetting out bad applications. When dealing with iPhones you have a OS that is proprietary and leaves the public guessing as to what the 10+ million lines of code really are. Having these 10+ million lines of code confidential protects (somewhat) Apple iPhones from giving hackers exploits in their OS.  By no means am I saying iPhone users do not need to worry about malware or trojans, because they do and it has happened.

iPhone recently had a hot selling app called Flashlight. The actual flashlight didn’t really do anything special, but people were paying for the app anyways. It took 4 weeks for Apple to realize that this app was a Fake app and people were buying it because it provided users a tethering options via a Trojan exploit into the iOS.

Android had a major outbreak of malware recently that was found in 100’s of apps. Google Bouncer found some of them, but its easy to look at the data and realize it didn’t vet them all. Some of these apps that were infected were Dice Roller, Chess, Super Ringtone Maker, Best Password Safe, Advanced Compass Leveler, Piano, Quick Delete Contacts, and many more. This specific exploits in these apps used RATC (rage against the cage). RATC allows the malware to be installed and install unwanted apps or steal data. Here is how RATC works:

1. Finds dbug server (adb_server) & process ID

2. Kills adb_server (auto restart)

3. Server auto restarts and beings to execute root access.

4. RATC races to reduce the number of allowed processes in the adb_server.

5. Two system calls are made:

A. setgid (AID_Shell)

B. setuid (AID_Shell)

Within step 5 the calls fail. This exploit is here because the programmer never checked to see if the calls would give a return value. Mr. Hosmer made this statement: ” Programers that do not check return values equal dinosaurs because they become extinct.” A Android OS code line was the exploit and it was found when these two calls were made when the adb_server was rebooting and accessing root.  When this failed it would leave the system running in root and give the malware free reign.

Below are a few malware, trojan, and fake apps that have been found with in mobile OS devices.

BASSBRID – Trogan – Set up to steel personal data

JIFAKE.F – Trojan – Version of Jimm Mobile ICQ Client. This would set up SMS messages to send to a premium service and charge the user $4-$6 per message on their bill. This was the first malware known to be installed by having the user scan a QR Code.

BATTSTATUS – Fake App – Sent personal data to remote servers.

Ginger Master – Root exploit

Rabbiddog.A – Malware – Sends SMS messages to all of your contacts the following message ” I take pleasure in hurting small animals, just thought you should know.”

Not discussed by Mr. Hosmer was the availability of Spyware. I am not referring to Spyware that is downloaded like a virus, but Spyware that can be purchased by someone and installed on to a phone for monitoring or calls, texting, location, email, and web history. This is a teaser for a future blog post, but I have had several cases within the past few months where Spy software was purchased and installed onto a target smartphone. It is out there and it is VERY powerful. The scariest parts is that you will never know its there with the naked eye.

Here are some of my final thoughts on this situation. The growth of malware and trojans on mobiles phones is growing at a rapid pace and no OS is going to be completely safe. When a corporation is concerned over classified information or intellectual property the policy of “bring your own device” should be shelved and the company should provide devices that can be managed by the network IT guys. This allows you to manage which APPs are downloaded, what information is stored on the device, and it gives you the ability to wipe the device if it is lost of stolen. Each OS has its benefits and both have their minuses. I think their will always be a need for open sourced mobility to accelerate innovation in mobility. With acceleration comes risk and the need to manage and assess those risks.